DET0404 Detect Winlogon Helper DLL Abuse via Registry and Process Artifacts on Windows

Item	Value
ID	DET0404
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1547.004 (Winlogon Helper DLL)

Analytics

Windows

AN1133

Monitor Windows Registry modifications to Winlogon keys (Shell, Userinit, Notify) that introduce new executable or DLL paths. Correlate these changes with subsequent DLL loading, image loads, or process creation originating from winlogon.exe or userinit.exe. Abnormal child process lineage or unauthorized binaries in C:\Windows\System32 may indicate abuse.

Log Sources

Data Component	Name	Channel
Module Load (DC0016)	WinEventLog:Sysmon	EventCode=7
Process Creation (DC0032)	WinEventLog:Sysmon	EventCode=1
Windows Registry Key Modification (DC0063)	WinEventLog:Security	modification to Winlogon registry keys such as Shell, Notify, or Userinit
Windows Registry Key Access (DC0050)	Autoruns:RegistryScan	Enumerate Winlogon subkeys for unknown or unsigned binaries

Mutable Elements

Field	Description
TimeWindow	Time correlation between registry modification and malicious module load or process creation
UserContext	Privilege level or user context under which registry changes or process executions occur
BinarySignatureValidation	Whether to validate binary signatures when DLLs are loaded via Winlogon helper paths
ExecutablePathScope	Scope of directories considered suspicious for helper DLLs (e.g., temp paths, non-System32 locations)